e066dabecd400d831259d1bb2c0e17c9c14736b1ed8c32c6c46ef2f39f974cf5

General

Target

e629edf7ddeea4d35859255dfc10e170N.exe
Size

1.1MB
MD5

e629edf7ddeea4d35859255dfc10e170
SHA1

33c14a89a83e15b091fccfee0287cd0b25b53476
SHA256

e066dabecd400d831259d1bb2c0e17c9c14736b1ed8c32c6c46ef2f39f974cf5
SHA512

5c4fe84cbca1168f29e35379353e1a0f0b9858ecfc238cf0b68fdfe0b35db2f7ecac54fb26bc9d690b7c85e07c3d048cee5cf5047bf1a0e0bf4df7c4f68c28e8
SSDEEP

24576:h0W8HM9IgSFeG4VP47LtOnjhgWHeRHcoZlG4g5wDQL2DB/:h6i0cnlHeRrlG4g5ec29

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	e629edf7ddeea4d35859255dfc10e170N.exe

Loads dropped DLL 2 IoCs

pid	Process
2516	e629edf7ddeea4d35859255dfc10e170N.exe
2516	e629edf7ddeea4d35859255dfc10e170N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	e629edf7ddeea4d35859255dfc10e170N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e629edf7ddeea4d35859255dfc10e170N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2516	e629edf7ddeea4d35859255dfc10e170N.exe
2516	e629edf7ddeea4d35859255dfc10e170N.exe
2516	e629edf7ddeea4d35859255dfc10e170N.exe
2516	e629edf7ddeea4d35859255dfc10e170N.exe
2516	e629edf7ddeea4d35859255dfc10e170N.exe
2516	e629edf7ddeea4d35859255dfc10e170N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2516	e629edf7ddeea4d35859255dfc10e170N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2516	e629edf7ddeea4d35859255dfc10e170N.exe
2516	e629edf7ddeea4d35859255dfc10e170N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2220	2516	e629edf7ddeea4d35859255dfc10e170N.exe	30
PID 2516 wrote to memory of 2220	2516	e629edf7ddeea4d35859255dfc10e170N.exe	30
PID 2516 wrote to memory of 2220	2516	e629edf7ddeea4d35859255dfc10e170N.exe	30
PID 2516 wrote to memory of 2220	2516	e629edf7ddeea4d35859255dfc10e170N.exe	30

C:\Users\Admin\AppData\Local\Temp\e629edf7ddeea4d35859255dfc10e170N.exe
"C:\Users\Admin\AppData\Local\Temp\e629edf7ddeea4d35859255dfc10e170N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
78663c4dffc71ab347eaeb23f26fbe03

SHA1
f505e1941c9c521da0e867b59e9e226ce6b09fbc

SHA256
015f8d58416a188cf25ceb5ed1af29c9573afddcb84534b8b23e7bb03c0e550a

SHA512
776d1b22e0bf232c16976bb678e9656eff446de91557afb9deaedb5b2f3f97fc33e356bc069d6e9c6a9e9e1bbdcda86de1014eac9ee5c4d246994dd5973cbad4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
722B

MD5
2af5dbdbb9b68376520f391dcb0a2d32

SHA1
459eaa7157b9db3e2f2b5b643f3d1033e465805c

SHA256
8ba540188506cacc7769a16f0b89cb4e1a929f76e852bab7510be2853f615e98

SHA512
4092985a5008fa873aa0b0dda1259decabb858786abcf62d6aebf2a197dcf94ba0c2f0e1b33ca99246b309f6d630c725bd3c678e424aaa98372dc1bab34e12fe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
86a459f354edf141b74fb260bd94b996

SHA1
4975d33c15f7a3f85c4b413f0e1a6afbcc117962

SHA256
fcbcc497ca10a6c93efb4378391e6434a48f7246db464ff83d1748bad0e769c2

SHA512
bc08eef7ef81031830d64bd921346aade39dfca99b8df83143bb1544c9f002381a337bebc18ab6f153f8a9e8b7f1da37e276c1a0bc5ad46219d499b80a822ff5

Download Submit
memory/2516-0-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/2516-16-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/2516-19-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/2516-22-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/2516-26-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/2516-29-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/2516-32-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads